8 August 2024

New York State Attorney General Issues Guidance On Privacy Controls And Web Tracking Technologies

Wilson Elser Moskowitz Edelman & Dicker LLP

Contributor


Regulation of consumer privacy, including the use of cookies and other tracking technologies, is top of mind for many state regulators, as evidenced by the recent adoption of 19 comprehensive state privacy laws in the past few years. New York has not yet adopted a comprehensive data privacy law. Yet, on July 30, 2024, New York's Office of Attorney General (OAG) published two guides, one for businesses and one for consumers, addressing privacy controls and online tracking on the web: Website Privacy Controls: A Guide for Businesses and A Consumer Guide to Web Tracking.

The OAG makes it clear that businesses' privacy practices and statements are subject to New York's consumer protection laws. A recent OAG investigation revealed that many businesses are making mistakes in their deployment of tracking technologies, resulting in misleading statements to consumers about their privacy choices. And, as the Attorney General reminds us, misleading statements on websites may amount to deceptive acts and practices in violation of consumer protection laws.

The two guides address how websites may track consumers with and without cookies, how cookie pop-ups may be phrased (information, opt-out and opt-in types), and how the language in cookie pop-ups may be misleading. This is welcome guidance for legal privacy professionals who need to understand the technical aspects of cookies at a high level to assist them in spotting potential compliance issues. It is also a good reminder that privacy compliance is a "whole business" issue that demands ongoing conversations between Legal, IT, Marketing, Customer Service and other departments to understand and address the impact of each department's operations on the business's overall compliance.

Common Mistakes Flagged by the OAG's Investigation

The New York OAG analyzed third-party tags and privacy controls on a variety of websites over the course of several months, finding that on more than a dozen high-traffic websites (mostly, e-commerce retailers selling apparel, tickets to live events or books) the privacy controls did not work as described. For instance, website visitors continued to be tracked even after they opted out of tracking. The operators of the websites that were flagged during the investigation were notified and reportedly corrected their practices. Other e-commerce platforms should take note as they may be committing the same offenses.

Uncategorized or Miscategorized Tags and Cookies

If your business is using a consent-management tool that allows a consumer to opt out of some of the cookies, it is important to categorize the cookies properly. Typical cookie categories are necessary, functional, analytics, advertising and social media cookies. Most consent-management tools allow a consumer to opt out of each of the categories of cookies except the necessary ones. The guide points out that cookies are commonly mislabeled, which could result in not accurately honoring a consumer's opt-out choice.

Misconfigured Tools

Where businesses use a consent-management tool and a tag-management tool, these tools must be properly configured to operate together. For example, where a consumer elects to opt out of tracking via the consent-management tool, this information needs to be correctly relayed to the tag-management tool so that the relevant cookies no longer fire.

Hardcoded Tags

Tags must not be hardcoded in a way that leaves consent-management tools unable to control them and implement privacy selections.

Tag Privacy Settings

Third-party cookie providers usually have settings allowing a business to limit or restrict how data from cookies may be used, sometimes called a limited data use or restricted data processing setting. The OAG's investigation reveals, however, that if a business selects the restricted processing setting and relies on the third-party provider to limit data use henceforth, such reliance may be misplaced.

For example, third-party cookie providers may be offering the restricted data processing feature only in the jurisdictions with comprehensive consumer privacy laws. If a business uses the restricted processing feature and represents to its consumers that the use of data will be restricted, this may amount to a misleading statement in violation of consumer protection laws or a failure to honor a consumer's privacy choice. It is therefore important for businesses to understand the limitations of third-party cookie provider settings. This may require asking the third-party cookie provider for information that is not publicly available. It may be appropriate to do so as part of the process of entering into a data-sharing agreement with the cookie provider, which is a requirement under the comprehensive privacy laws in other states.

Incomplete Understanding of Tag Data Collection and Use

Given that businesses bear responsibility for accurately disclosing their cookie practices and honoring consumer privacy choices, it is important to fully understand the nature and scope of information collected or shared before the business decides to deploy any tags.

Cookie-less Tracking

While cookies are a common tracking technology, they are not the only one. Businesses should avoid making statements suggesting that an opt-out from cookies means that the consumer's online activity will not be tracked. For example, other technologies such as device fingerprinting can be used to uniquely identify a consumer's device by combining technical information the device shares with websites. A website's privacy control may not be configured to disable cookie-less tracking. Businesses need to understand the types of tracking technologies they employ and whether their privacy control can allow a consumer to opt out, before making a transparent disclosure to consumers about the available choices. The OAG's guides also suggest some strategies for consumers to limit tracking.

Suggested Workflow

The OAG's guide for businesses sets out the following key processes that businesses should consider implementing to help identify and prevent issues.

  • Designate a qualified individual (or a group of individuals) to manage the use of tracking technologies. Such individuals must have appropriate training both on the business's policies and on the technologies used.
  • Investigate new tracking technology tools to evaluate the nature and scope of the data to be collected before deploying such technology. This step should involve liaising with the developer to gain an understanding of the technology.
  • Configure and categorize new tracking technologies appropriately, to avoid mischaracterizing tags.
  • Test tracking technologies to ensure that they are operating as intended.
  • Review tracking technology policies and procedures regularly.

Lastly, the guide recommends that businesses collecting information on New York consumers ensure that statements about tracking technologies are accurate, avoid language that may be misleading and label buttons to clearly convey what they do. Large blocks of text should be avoided in privacy-related disclosures and controls, and options to decline tracking should not be deemphasized.

Conclusion

The concepts outlined in the new guides published by the New York OAG align with the comprehensive data privacy laws recently adopted by other states as well as with the FTC's guidance. The use of tracking technologies also is a significant current focus for regulators at the federal and state levels.

New York's guidance clarifying the OAG's focus areas in regard to online tracking technologies is therefore a welcome addition to every New York business's compliance toolkit. Companies collecting information on New York consumers should carefully review the guides' recommendations and implement the advice as appropriate, so as to avoid the risk of inadvertently making misleading statements to consumers that may lead to regulatory enforcement actions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
